Threat Gets a Vote: Applying a Threat Based Approach to Security Testing
Joe Vest - @joevest
Background
• 17+ years IT (10+ InfoSec)
• Co-founder of MINIS (merged with SpecterOps late 2017)
• Red Teamer / Threat Emulator
• Author of SANS SEC564 Red Team Operations and Threat Emulation
• Some letters behind my name: OSCP, GMOB, GCFA, GWAPT, GPEN, GCIH, CISSP, CISA, others…

Who is SpecterOps?
• BloodHound
• Empire
• PowerSploit
• KeeThief
• Cobalt Strike
• DomainHunter
• Many others
Outline
• Security Operations Design
• What is a threat?
• Introduction to threat based testing
• Compare and contrast to other security testing types
• How to apply threat focused engagements
Security Operations Design
• Comprehensive security programs are not easy
• Pressures come from every direction: customers, compliance, management, peers, budget, public opinion, and news
• Organizations are generally able to overcome these challenges and implement what is considered to be a robust security program
  • Able to please the various parties and describe a strong security program designed to stop malicious cyber-attacks
  • Audit and compliance checks pass with a green light
  • Robust patch management systems are deployed
  • Vulnerability assessments and penetration tests are conducted
• In general, these organizations have good security hygiene
What is one of the most significant drivers of information security spending?
Source: IT Security Spending Trends, Barbara Filkins, SANS, February 2016 (https://www.sans.org/reading-room/whitepapers/analyst/security-spending-trends-36697)
Security Misconception: Compliance == Security
Definitions
• Security (se·cu·ri·ty) [si-kyoor-i-tee], noun: precautions taken to guard against crime, attack, sabotage, espionage.
• Compliance (com·pli·ance) [kuhm-plahy-uhns], noun: conformity; accordance: in compliance with orders.
The conversation between Compliance and Leadership usually goes like this:
• Why are we spending on compliance? To be secure!
• So, if I am compliant, I will be secure from attack? Well, not exactly…
• Then why do compliance? To be secure?
Shortcomings to Security Operations Design
• Who is responsible for design and implementation?
• Where does the information come from?
• Have you (or someone on the team) attacked and compromised a network?
  • To what extent?
• Do you include the threat in security decision making?
Are organizations really building security programs designed to address the threat?
What is a Threat?
Threat /THret/, noun (plural: threats)
• a person or thing likely to cause damage or danger.
Defense commonly focuses on a threat as a 'thing' (malware, botnet, virus, etc). What about the person (threat-actor) behind the malware?
Risk = Threat × Vulnerability
Where is the Threat in Security Planning?
• Good intentions by intelligent people do not add up to understanding threats or how they operate.
• If the goal of security operations is to protect against malicious attack from a threat, it only makes sense to include the opinions of those you are defending against.
Why do Threats Succeed?
• Consider a threat as an intelligent person bent on causing harm
  • NOT an exploit of a vulnerability
  • NOT a piece of malware
  • NOT a phishing attack
• Organizations use audit and compliance, vulnerability assessments, and penetration testing to evaluate and measure the risk of cyber-attack
• Threat-actors know tools are deployed to stop cyber-attacks
• Real threat-actors often take actions that may NOT be used during standard security assessments
Why Bother with a Threat Based Approach?
Isn't identification and mitigation of vulnerabilities enough?
Consider This Scenario (diagram with Users, a Threat, a File Share, a Database and a DC)
Think About
• Could your current security program prevent, detect, or respond to this threat?
• Are you sure? Have you verified this?
• What are the key indicators left by the threat that may aid Blue?
• Can you identify the threat by their actions or indicators?
A Threat Will…
Organizations often have the wrong mindset of security defense
• Vulnerable / Not Vulnerable
• Do not click links
• Policies, procedures, and compliance measure security
• Log everything (you never know what you need)
• Patch, patch: threats only use exploits
• Our security tools will save us
Intelligent Threat Actor
Common threat actors:
• Criminals
• Hacktivists
• State sponsored
• Insider
Does the type really matter?
• Behind every piece of malware, there is a person
• Behind every hack, there is a person
• Does this person know you have a comprehensive security program?
Where do we focus on the threat's actions?
Definitions
• Blue Team: the security team that defends against threats.
• Command and Control (C2): the influence an attacker has over a compromised computer system they control.
• Exfiltration: the extraction of information from a target, typically through a covert channel.
• IOC (Indicator of Compromise): artifacts that identify or describe threat actions.
• OPFOR: Opposing Force, or enemy force, a term typically used by the military in war-gaming scenarios. Red Teams are commonly associated with or support OPFOR in war-gaming scenarios.
• Operational Impact: the effect of a goal-driven action within a target environment.
• ROE (Rules of Engagement): the Rules of Engagement establish the responsibility, relationship, and guidelines between the Red Team, the customer, the system owner, and any stakeholders required for engagement execution.
• Red Team: an independent group that challenges an organization to improve its effectiveness.
• TTPs: Tactics, Techniques and Procedures (sometimes called tools, techniques, and procedures).
• Threat: an expression of intention to inflict evil, injury, or damage.
• Threat Emulation: the process of mimicking the TTPs of a specific threat.
• Tradecraft: the techniques and procedures of espionage. Tradecraft is typically associated with the intelligence community. TTPs and Tradecraft are used interchangeably in this course.
Red Teaming Definition
• Red Teaming … is the process of using tactics, techniques, and procedures (TTPs) to emulate a real-world threat with the goals of training and measuring the effectiveness of the people, processes, and technology used to defend an environment.
• Red Team … an independent group that challenges an organization to improve its effectiveness.
Threat Based Assessments through Red Teaming…
• measure the effectiveness of the people, processes, and technology used to defend a network
• train and/or measure Blue Teams
• can test and understand specific threats or threat scenarios
"We don't rise to the level of our expectations, we fall to the level of our training." - Archilochus, Greek poet, around 650 BC
Red Teaming VS Other Security Tests (chart placing Vulnerability Assessment, Penetration Testing and Red Teaming on axes of depth and breadth)
Red Teaming VS Vulnerability Assessment
According to NIST, a Vulnerability Assessment is a "… systematic examination of an information system or product to determine the adequacy of security measures, identify security deficiencies, provide data from which to predict the effectiveness of proposed security measures, and confirm the adequacy of such measures after implementation."
Think about this: a red team (threat) rarely uses vulnerability scanning tools during an engagement.
Red Teaming VS Penetration Testing
According to NIST Special Publication 800-53 (Rev. 4) CA-8, penetration testing is defined as "… a specialized type of assessment conducted on information systems or individual system components to identify vulnerabilities that could be exploited by adversaries…"
VS
Red Teaming is the process of using TTPs to emulate a threat with the goals of training/measuring security operations (Blue Team).
PDRR Observation and Measurement Coverage
Phases: Protect | Detect | Respond | Restore
• Vulnerability Assessment / Penetration Test: reduce attack surface; good security hygiene
• Red Team Engagement: measure security operations as a whole; train and engage Blue Teams
Red Teaming Take Away
• Vulnerabilities and exploits may be used, but only as a means to an end. Focus on goals and organizational impacts!
• Organizational and operational impacts can be extremely valuable (examples):
  • Measure the ability a threat has to move laterally throughout a network
  • Measure the ability a threat has to escalate privileges
  • Measure the ability a threat has to exfiltrate sensitive data
  • Can a threat degrade, disrupt, deny, or destroy operations?
• Training is key. Blue teams must practice before facing a real threat.
Understanding Risk Through Threat Actions
Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK™)
• Framework, knowledge base, and model for cyber adversary behavior
• Focused on threat TTPs and tradecraft vs exploits and vulnerabilities
• https://attack.mitre.org/wiki/Main_Page
Threat Hunter Playbook
• https://github.com/Cyb3rWard0g/ThreatHunter-Playbook
• https://cyberwardog.blogspot.com/
MITRE ATT&CK
Using IOCs to Measure Security (diagram: C2 over HTTP/80 to an agent running as a standard user on workstations; SMB to an agent running as a system user on workstations and servers; data)
Threat Profile
• General: mid-tiered threat that uses common offensive tools and techniques
• Goal and Intent: exist in the network to enumerate systems and information in order to maintain command and control to support future attacks, and to determine if and when a Blue Team can detect and identify the threat's IOCs
• Key IOCs:
  • HTTP on port 80
  • Cobalt Strike Beacon with a 1-minute callback time
  • Calling directly to threat-owned domains
• C2 Overview:
  • Cobalt Strike HTTP beacon on TCP 80
  • Cobalt Strike SMB beacon on TCP 445
• TTPs (Enumeration, Delivery, Lateral Movement, Privilege Escalation, etc.): assumed breach model, no initial delivery via exploitation. Post-exploitation via Cobalt Strike commands. Enumeration and lateral movement via Cobalt Strike and native Windows commands. Privilege escalation limited and determined post-exploitation.
• Exploitation: assumed breach model, no exploitation.
• Persistence: user-level persistence using explorer.exe DLL hijack (linkinfo.dll); WMI event persistence (msupdate.exe)
Disk IOC Overview
HTTP beacon IOCs
• HTTP traffic over TCP port 80; beacons every 60 seconds with a 20% jitter (drift)
• Payload: linkinfo.dll
• Location: c:\Windows\linkinfo.dll
• Timestamp: 06:31 PM 07/13/2009
• Size: 288,768
• MD5: 4a247a94bd215f081c04ef235d158ce1
• Metadata:
  • Company: Microsoft Corporation
  • Description: Windows Volume Tracking
  • Product: Microsoft® Windows® Operating System
  • Prod version: 6.1.7600.16385
  • File version: 6.1.7600.16385 (win7_rtm.090713-1255)
SMB beacon IOCs (on-demand access)
• Payload: msupdate.exe
• Location: c:\Windows\msupdate.exe
• Timestamp: 06:31 PM 07/13/2009
• Size: 290,816
• MD5: 81401996518d462fba52a345b63ef918
• Metadata:
  • Company: Microsoft Corporation
  • Description: Host Process for Windows Services
  • Product: Microsoft® Windows® Operating System
  • Prod version: 6.1.7600.16385
  • File version: 6.1.7600.16385 (win7_rtm.090713-1255)
HTTP Beacon Network IOC Overview
HTTP IOC (captured request/response pairs)

GET /v11/3/windowsupdate/selfupdate/WSUS3/v6muredir.cab?v=T2Yw28y-t_hTdfBSImdzQw HTTP/1.1
Accept: text/html, application/xhtml+xml, application/xml;q=0.9, */*;q=0.8
Host: download.windowsupdate.com
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko

HTTP/1.1 200 OK
Cache-Control: private, max-age=0
Content-Type: application/octet-stream
Vary: Accept-Encoding
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Connection: close
Content-Length: 64

(64-byte binary response body, not reproduced)

POST /v11/2/windowsupdate/selfupdate/WSUS3/NzIxMg HTTP/1.1
Accept: text/html, application/xhtml+xml, application/xml;q=0.9, */*
Content-Type: application/x-www-form-url-encoded
Host: download.windowsupdate.com
Content-Length: 29
User-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko

status=iVtM41G4gRnsNKaocUaOTw

HTTP/1.1 200 OK
Cache-Control: private, max-age=0
Content-Type: application/octet-stream
Vary: Accept-Encoding
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Connection: close
Content-Length: 0
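The 60-second, 20%-jitter HTTP beacon described in the disk and network IOC slides is the kind of indicator Blue can hunt for in proxy logs. The following is an added example, not part of the original slides: it parses constructed proxy log lines and flags source/host pairs whose request gaps cluster on the expected callback interval; the log format, host names, IPs and thresholds are all assumptions.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log lines (not from the slides): "HH:MM:SS src_ip dst_host method uri".
# 10.1.1.5 mimics the profile's 60-second HTTP beacon with 20% jitter; 10.1.1.7 is
# ordinary browsing with irregular gaps.
SAMPLE_LOG = """\
09:00:00 10.1.1.5 download.windowsupdate.com GET /v11/3/windowsupdate/selfupdate/WSUS3/v6muredir.cab
09:00:55 10.1.1.5 download.windowsupdate.com GET /v11/3/windowsupdate/selfupdate/WSUS3/v6muredir.cab
09:01:44 10.1.1.5 download.windowsupdate.com GET /v11/3/windowsupdate/selfupdate/WSUS3/v6muredir.cab
09:02:44 10.1.1.5 download.windowsupdate.com GET /v11/3/windowsupdate/selfupdate/WSUS3/v6muredir.cab
09:03:36 10.1.1.5 download.windowsupdate.com GET /v11/3/windowsupdate/selfupdate/WSUS3/v6muredir.cab
09:04:34 10.1.1.5 download.windowsupdate.com GET /v11/3/windowsupdate/selfupdate/WSUS3/v6muredir.cab
09:00:03 10.1.1.7 news.example GET /
09:00:06 10.1.1.7 news.example GET /story/1
09:02:06 10.1.1.7 news.example GET /story/2
09:02:13 10.1.1.7 news.example GET /story/3
09:08:53 10.1.1.7 news.example GET /story/4
"""

def parse_log(text):
    """Group request times (seconds since midnight) by (source IP, destination host)."""
    series = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, host, _method, _uri = line.split(maxsplit=4)
        t = datetime.strptime(ts, "%H:%M:%S")
        series[(src, host)].append(t.hour * 3600 + t.minute * 60 + t.second)
    return series

def beacon_candidates(series, expected=60, jitter=0.20, min_requests=5, min_ratio=0.8):
    """Flag (source, host) pairs whose request gaps cluster on the expected sleep.
    Cobalt Strike subtracts up to jitter percent from the sleep, so a 60s/20% beacon
    yields gaps of 48-60s; the window is symmetric here to absorb network delay."""
    low, high = expected * (1 - jitter), expected * (1 + jitter)
    hits = {}
    for key, times in series.items():
        times = sorted(times)
        if len(times) < min_requests:
            continue
        gaps = [b - a for a, b in zip(times, times[1:])]
        ratio = sum(low <= g <= high for g in gaps) / len(gaps)
        if ratio >= min_ratio:
            hits[key] = {"requests": len(times),
                         "median_gap": statistics.median(gaps), "ratio": ratio}
    return hits
```

Running beacon_candidates(parse_log(SAMPLE_LOG)) flags only the 10.1.1.5 to download.windowsupdate.com pair; pairing this with the second Key IOC (a Host header naming a Microsoft domain while the connection goes to a threat-owned address) raises confidence further.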
In Conclusion
• The threat should have a vote in what is implemented in security operations
• Red teaming may identify vulnerabilities and exploits, but they are only a means to an end. Focus on threat-actor goals!
• Measuring a threat's ability to impact an organization's operations can be extremely valuable
  • What ability does a threat have to degrade, disrupt, deny, or destroy operations?
• MITRE ATT&CK can help
• Training is key. Blue teams (defensive teams) must practice before they can or should be expected to deal with a real threat!
Red Teaming and Threat Emulation Training
SANS
• SEC564 Red Team Operations and Threat Emulation: https://sans.org/sec564
SpecterOps
• Adversary Tactics: Red Team Operations
• Adversary Tactics: Active Directory
• Adversary Tactics: PowerShell
• Adversary Tactics: Detection
https://specterops.io/resources/upcoming-events
Twitter: @joevest
Email: joe@specterops.io
Blog: threatexpress.com
https://www.linkedin.com/in/joe-vest